Root Causes 189: What Is CA Agnostic?
Certificate Lifecycle Management (CLM) platforms can deal with certificates from a number of sources. A CLM that can provision certificates of all types from all CAs, private and public, would be described as "CA agnostic." In this episode we explain this idea and its significance along with the key criteria for choosing a CA agnostic CLM platform.
- Original Broadcast Date: November 17, 2021
Episode Transcript
Lightly edited for flow and brevity.
-
Tim Callan
This is one of our “what is” episodes, and I think this is a new term that I don't think we've used on this podcast before, but it's an important concept, and we want to explain it and define it and build a framework for you. The phrase is CA agnostic. In particular, this is in reference to the world of CLM. CLM, Certificate Lifecycle Management, the basic idea there - to define that term while we're at it - is it's a platform that you use to manage the full lifecycle of your certificate. So, and you and I have talked in the past about the four pillars of certificate automation. Those pillars are part of certificate lifecycle management. There's a new idea that's kind of catching on, some, I'd say, catching on a bit, which is the idea of a CLM being “certificate agnostic.”
So, let's define what CA Agnostic means. In short, if I can take an attempt at it, then you can change it if you want, Jay, but that simply means that your CLM is prepared to take all certificates from all CAs; so, that could be your private CA; it could be your MSCA; it could be your certificates from public certificate authorities and treat them all identically. They all have the same capabilities and they all basically have the full, robust capability of the CLM available for them, and that this needs to happen not only across CAs, but also across certificate types. So, all the different types of certificates you might use from all the different CAs. All of that needs to be handled the same way in your CLM. How do you feel about that definition?
-
Jason Soroko
That works. There are so many different ways that this could be attacked, because I think everybody has different needs. I think the one need that's in common for everybody, Tim, and this is just the one I want to add, is the fact that we - - let's establish the fact that we are living in a world where there are very few people right now dealing with just a singular certificate that can be managed manually through time.
Therefore, that's really almost the prefix to what you've said, which is why CLM, which then leads to why CA Agnostic, which is, you know, it's just too darn difficult to manage all those certificates. It's better to let a computer do it. It's better to let a good CLM, a good Certificate Lifecycle Management System, deal with it. And it's not just about scheduling the renewal of the certificate, it's about the provisioning technologies, it's also about giving visibility to all your other digital identity types as well, and we'll get into that.
-
Tim Callan
For background on this, I want to strongly recommend you go back to our earlier podcast called The Four Pillars of Certificate Automation and give that a listen, because that's where it really breaks it down and lays it out, and that's a great one for that background if you feel like you want to catch up a little on the "what is CLM and why CLM" conversation. And a point that you made to me earlier, Jason, that I think is important, and I want to give you credit for it, is that it's important to remember that when we get into the world of public CAs in particular, public CAs are forced by regulation to do things in specific ways and to meet a specific set of minimum requirements and, as a consequence, it's not the leap that it may have been 10 years ago to say I am prepared to treat these as peers. Right?
-
Jason Soroko
A publicly trusted certificate is a publicly trusted certificate, because of the fact that we all have to conform to a very specific set of stringent rules, and so therefore, you know, that piece of X.509 formatted digital identity, you can rest assured that, you know, if it comes from a publicly trusted CA, there's an awful lot of scrutiny that's gone in to allow it to do the same thing from CA to CA. Therefore, regardless of where that SSL certificate came from, it's a publicly trusted certificate.
-
Tim Callan
There is a corner case, which is, if you were using DigiNotar or Certinomis shortly before their roots were distrusted, then that wouldn't be the same, but that's unusual. And that's something the individual subscribers can make their own judgments about, but if they've decided they're prepared to hitch their wagon to the CA, then they need to be able to do the things with those certs that they need to do.
-
Jason Soroko
Tim, just with what you're saying, that's probably reason number one, probably the fundamental reasoning behind CA Agnostic.
-
Tim Callan
Second sourcing.
-
Jason Soroko
So, let me give you a good example, right. Consortia do this all the time. They dual source quite often. They have a redundant CA vendor list because of the fact that they want to be able to stay operational, regardless of a Certinomis or DigiNotar event.
-
Tim Callan
Right, and the basic idea is I actually use this other CA in production enough that I'm confident that everything's okay and all I have to do is put a zero at the end of my order next time. And so, in that sense, yeah, and once again, that means that it's not a universal practice, but certainly a frequent practice for somebody to run more than one public CA with that exact scenario in mind.
-
Jason Soroko
So, to put a really fine point on it, Tim, CA Agnosticism has actually been around an awfully long time. It's just, perhaps, we didn't call it that. The reason why the term is becoming important right now is because we're specifically using the term with reference to your Certificate Lifecycle Management system, and so therefore, we're trying to blend this idea together of, you're probably dealing with more certificates than you can deal with from a manual standpoint, they're going into complicated places, they need provisioning technologies. In other words, you need that CA, you need all the things a good CLM is giving you and, at the same time, being agnostic to the CA has its reasons. I think, Tim, what we really want to do here is, after we make that first point of what is the root meaning of CA Agnostic, what I’d like to offer the audience is the next three points of when you are doing your CLM procurement. I really want you to challenge your CLM vendor on whether or not they conform to these next three points.
-
Tim Callan
So in other words, these are, what you would say are important requirements for a CLM platform?
-
Jason Soroko
That’s exactly right, Tim. To make it blunt, that's exactly it. So, if you don't mind, I can start going through these points.
-
Tim Callan
Number one.
-
Jason Soroko
Number one. The CLM vendor that you're talking to, if they're not also a CA in themselves, by definition, they are requiring their customers to go out and basically deal with another CA, and so therefore, this whole question around dual sourcing, having to deal with multiple contracts, sometimes having to go out and physically talk to the other vendor, it just creates more work, and so therefore, there's a bit of a disconnect within that procurement process.
-
Tim Callan
So, is there a one stop shop option? That's what you're saying?
-
Jason Soroko
To put it really simply, yes.
-
Tim Callan
Now, obviously, it’s CA Agnostic, which means that one stop shop is not forced down your throat. It's not required and if you want to use sources from other CAs, go for it. But the idea is you should have that option available if that’s what you choose.
-
Jason Soroko
In an ideal world, you would be getting your Certificate Lifecycle Management from a vendor who is also a CA, and therefore that's the cleanest procurement process you could have.
-
Tim Callan
Yeah, and it's the classic "they're not gonna blame each other" kind of thing, right? Because there's only one of them, so you can't say, oh, we're fine, the problem’s over there. No, we're fine, the problem’s over there. No, because it's all you, and you are responsible for making the whole walled garden work correctly.
-
Jason Soroko
Yeah, and that walled garden has a lot of detail behind it. You can imagine the deepness of the integration of the API to the actual issuance platform. We can get into the weeds here, but it's very important to note that a CA who also has a CLM probably has the deepest roots possible and obsesses over making sure that those integrations are as good as possible. So that's another side advantage to that as well.
-
Tim Callan
Great. Okay, so that's number one, one stop shop option. What's number two?
-
Jason Soroko
Sure, Tim. This comes down to the focus on machine identities by some CLM vendors. If your CLM vendor is really, really focused solely on machine identities, that means that you as a customer have to choose another CLM for human identities and other identities that are not necessarily coming under that umbrella of machine identities. Therefore, if we go back to point one, a CA that has a CLM offering covers not only machine identities, but all other identities. That's your ideal world.
-
Tim Callan
Okay. So again, let me try a paraphrase of this. Certificates, identities, and keys come in a variety of forms that are likely to be necessary to the successful operation of your enterprise, and you want a CLM platform that will support the full length and breadth of them.
-
Jason Soroko
That's right, Tim. In other words, it really isn't just going to be about your SSL certificates. You're going to be dealing with all manner of digital identity types for authentication, etc. Dealing with a vendor that can handle all of it is going to be your ideal world.
-
Tim Callan
Gotcha. That's number two. What's number three?
-
Jason Soroko
This is the future proofing point, Tim. If you're doing procurement of CLM technology, you want to have a CLM vendor that not only is also a CA, not only can also handle human identities, but has a technology breadth and a proven innovation cycle that can grow along with you. We've had so many podcasts, Tim, about use cases that didn't even exist four or five years ago, and in two, three, four, five years, I guarantee we're gonna have new PKI use cases that are going to require a CLM that needs to grow along with those new enterprise use cases. Let me just rhyme off a few that people might not think about here: the various kinds of open-source provisioning technologies that exist right now didn't exist three, four years ago. I'm talking about things such as EST, things like ACME. Dealing with a vendor that's there with you, that knows how to deal with those open-source systems and has integrated them deeply, that's a CLM vendor you want to work with. Additionally, let's rhyme off some of the other use cases really quickly. Digital signing, SSH, not just keys, but SSH certificates. DevOps, not only for issuance, but also for monitoring and credential vaults, IoT, and Tim, of course I'm always biased, I bring up this topic all the time, but it's gonna be important: quantum resistance.
-
Tim Callan
Quantum resistance. I recently, jokingly rebuked you for not working quantum resistance into a list and you got it this time.
-
Jason Soroko
So, what I'm saying, Tim, is if you look again at that list I just gave you, I would take down that list if you're doing any kind of procurement of CLM. Challenge your vendor and say, hey, vendor, what's your innovation plan for each of these areas?
-
Tim Callan
What’s your track record? That's a very important point, Jay. Which is to say, you're going to settle on a platform and you're not going to want to change. You're going to want the platform that’s still serving you four years from now and you need to be confident that it is going to stay current with the important developments and innovations in the PKI industry.
-
Jason Soroko
That is so important. I think, you know, PKI is absolutely everywhere. It's utterly ubiquitous. It's only going to become more so. If you look at what all the consortia are doing, if you take a look at where - - Tim, we were just talking about COVID passes in Europe. It's PKI, right? It's absolutely everywhere, and so therefore, every single use case we're gonna be talking about in the future, regardless of the device type, regardless of the human authentication type, this is where the world's moving. You want to be dealing with a CLM vendor that is going to grow along with you. This is not something you're going to want to rip and replace down the road. It's a very important fundamental piece of architecture. Think, Tim, about all those people right now who put in a Microsoft CA who are now absolutely looking for technologies to help augment that. Are you dealing with a CLM vendor that's helping you to do that?
-
Tim Callan
That's a great example. Microsoft CA. Back in the day when you implemented Microsoft CA initially in whatever it was, the late 2000s, 2010, something like that. Everybody thought this is great and robust, and I have no worries about security. But time marches on, and suddenly there are a lot of worries about security and how you're going to make sure that you've got a future proofed PKI system going forward.
-
Jason Soroko
So, Tim, to summarize this, CA Agnostic at its heart means that all publicly trusted certificates are publicly trusted and they're the same. That's the same kind of X.509 that ultimately, at the end of the day, will do the same thing. What is very different is the management of those certificates, and that's why I wanted to have this special podcast talking about making sure that when you're making that super important, fundamental infrastructure choice of a Certificate Lifecycle Management System, you're choosing a CLM that can stretch deep, deep into the future for all those future use cases of how you're going to use digital identities.
-
Tim Callan
That's an excellent point. In addition to the kind of feature functionality that you're probably going to look at, what are the speeds and feeds and what checkmarks are in what columns, also think about these other three things that you said. Which is, is a one stop shop option available? That was number one. Number two. What was number two, Jay?
-
Jason Soroko
Number two basically was some CLM vendors will really focus on machine identity and will not extend past that to all the other identities.
-
Tim Callan
To extend to the full set of identities that you need to consider, and then number three is how are they future proofing, how are they developing with the rapidly changing cryptographic and PKI industry that we're dealing with today.
-
Jason Soroko
You got it, Tim.
-
Tim Callan
Got it. I think those are great. Three great rules, and that's what CA Agnostic is. I think that's probably a term that will be entering into our vocabulary in this podcast, and you'll be hearing it again.
-
Jason Soroko
Yeah, absolutely. Tim, we will probably do a deeper dive into some of these topics, but that was an intro podcast to the topic.